What is Strong Customer Authentication?

On September 14, 2019, new legislation called Payment Service Directive 2 (PSD2) will come into effect, which aims to reduce fraud and make online payments more secure. As a result, when charging (or authorizing) a card that isn’t physically present or charging cards remotely, you’ll have to perform Strong Customer Authentication (SCA).

Strong Customer Authentication means your guests’ identities will need to be verified thoroughly. In other words, guests need to prove they’re the card owners through at least two of the three methods* of authentication below:

Image
graphic_strong_customer_authentication

*Something the customer knows (password or PIN), has (phone or hardware token), or is (fingerprint or face recognition).

Note: Starting September 14, 2019, banks will decline payments that require Strong Customer Authentication but don’t meet these criteria.

 

Jump to:

When will Strong Customer Authentication apply?

How will Booking.com support me?

All payments managed by Booking.com

Why is the new legislation called PSD2?

What is SCA under the new PSD2 directive?

In which territories will SCA under PSD2 apply?


When will Strong Customer Authentication apply?

Strong Customer Authentication will apply if you’re charging a credit or debit card that’s issued by a European Economic Area (EEA) entity and you’re based in the EEA. Whenever you attempt to charge a card that isn’t physically inserted into your Point of Sale machine, Strong Customer Authentication will need to be applied.

 


How will Booking.com support me?

Any reservations that are facilitated via Online Payments will have Strong Customer Authentication taken care of by Booking.com. 

Payments partially managed by Booking.com

If you’re already using Online Payments with some of your payments facilitated by Booking.com, this is how we’ll support you:

  • If a guest pays through our Online Payments service, we’ll take care of authenticating their payment transaction. You won’t need to do anything.

  • If a guest chooses to pay you directly, SCA may apply. If you normally charge guests’ cards in person during check-in or check-out, you can continue to do this the same way. SCA shouldn’t apply. If you charge guests remotely (e.g. for prepayments, deposits, or no-show fees), SCA may apply. In these cases, we’ll support you and do our best to minimize operational impact.

 


All payments managed by Booking.com

If you’re using Online Payments and have all your payments facilitated by Booking.com, you don’t need to take any action. We’ll authenticate all payment transactions for your Booking.com reservations.

What if I don’t want to use Online Payments?

We can only support you with SCA if you sign up for Online Payments. If you choose not to sign up for Online Payments, you’ll need to manage your guests’ payments and handle Strong Customer Authentication requirements. For more info, contact your bank or take a look at the links we’ve shared in the "Next steps" section below. 

What should I do if I’m not eligible for Online Payments?

Contact your bank to learn more about the PSD2 legislation and make sure you’re meeting the SCA requirements. You can also take a look at the links we shared in the "Next steps" section below. 

What should I do if I experience declined transactions?

If you experience declined transactions, use the invalid credit card process to mark guest cards as invalid. To help you successfully charge customer cards, we're currently enhancing the invalid credit card process in line with SCA requirements. We’ll provide you with regular updates about this solution.

Next steps

We’ll post more content about Strong Customer Authentication and clarify how the legislation could impact you, as well as how you can prepare for its introduction.

In the meantime, learn more about SCA from Adyen, Stripe, or JPMorgan.


Why is the new legislation called PSD2?

PSD2 stands for Payment Service Directive 2, an iteration of the current payment service directive. The iteration calls for even stronger customer authentication for online payments/purchases. Strong Customer Authentication is referred to as SCA. So PSD2 is the regulation itself whereas SCA refers to the actions needed to comply with PSD2.


What is SCA under the new PSD2 directive?

Strong Customer Authentication (SCA) means customers will have to take extra steps during the payment process for purchasing anything online, or when a card is not physically inserted into a Point of Sale machine. By doing this, the customer will prove that they’re the cardholder, thereby reducing fraud.


In which territories will SCA under PSD2 apply?

Within Europe, meaning the business from which a customer wants to purchase something is in a country within the EEA, and the customer’s bank/credit card company is also located within the EEA.

PSD2 applies to the following countries:

  • Austria

  • Belgium

  • Bulgaria

  • Croatia

  • Republic of Cyprus

  • Czech Republic

  • Denmark

  • Estonia

  • FinlandFrance

  • Germany

  • Greece

  • Hungary

  • Iceland

  • Ireland

  • Italy

  • Latvia

  • Liechtenstein

  • Lithuania

  • Luxembourg

  • Malta

  • Monaco

  • Netherlands

  • Norway

  • Poland

  • Portugal

  • Romania

  • Slovakia

  • Slovenia

  • Spain

  • Sweden

  • UK